Adding an Active Directory domain for use with IWA

Active Directory (AD) domains to be used with IWA must be joined by both Content Gateway and directory members (clients).

If you are using IWA for the first time, see Integrated Windows Authentication for a complete description of support and use.

To join a domain, the following must be true:

  • Content Gateway must be able to resolve the domain name.
  • Content Gateway system time must be synchronized with the domain controller’s time, plus or minus 1 minute.
  • The correct domain Administrator name and password must be specified.
  • There must be TCP/UDP connectivity to the domain controller(s) (ports 88, 389, 445).
  • If backup domain controllers are configured, they and their Key Distribution Center (KDC) services must be reachable by Content Gateway on the network.
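The prerequisites above can be verified from the Content Gateway host before clicking Join Domain. The script below is an added example, not part of this product documentation: it resolves the domain name, tests TCP connectivity to ports 88, 389 and 445 on each listed domain controller, and compares the local clock with the DC's clock against the 1-minute tolerance. It assumes the domain controller answers SNTP on UDP port 123 (the Windows Time service normally does); the domain and DC names passed in are placeholders you supply.

```python
import socket
import struct
import time

# Ports the page lists as needed from Content Gateway to the DC(s):
# Kerberos (88), LDAP (389), SMB (445).
REQUIRED_PORTS = {88: "kerberos", 389: "ldap", 445: "smb"}
MAX_SKEW_SECONDS = 60          # page: clocks must agree to within +/- 1 minute
NTP_UNIX_OFFSET = 2208988800   # seconds between the NTP (1900) and Unix (1970) epochs

def clock_skew_ok(local_epoch: float, dc_epoch: float, tolerance: int = MAX_SKEW_SECONDS) -> bool:
    """True when the two clocks differ by at most the tolerance, in either direction."""
    return abs(local_epoch - dc_epoch) <= tolerance

def ntp_transmit_time(packet: bytes) -> float:
    """Decode the transmit timestamp (bytes 40-47) of an SNTP reply into Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32

def dc_time(dc: str, timeout: float = 3.0) -> float:
    """Ask the DC for its clock (assumption: the DC answers SNTP on UDP 123)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x1b" + 47 * b"\0", (dc, 123))   # minimal SNTP v3 client request
        return ntp_transmit_time(s.recv(48))

def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(domain: str, dcs: list[str]) -> dict[str, bool]:
    """Run the page's join prerequisites; every value should be True before Join Domain."""
    try:
        socket.getaddrinfo(domain, None)
        checks = {"dns:" + domain: True}
    except socket.gaierror:
        checks = {"dns:" + domain: False}
    for dc in dcs:
        for port, name in REQUIRED_PORTS.items():
            checks[f"{dc}:{name}/{port}"] = port_open(dc, port)
        try:
            checks[f"{dc}:clock"] = clock_skew_ok(time.time(), dc_time(dc))
        except (OSError, ValueError):
            checks[f"{dc}:clock"] = False
    return checks
```

Run it as `preflight("ad1.example.com", ["dc1.ad1.example.com"])` with your own domain and DC names; any False entry corresponds to one of the prerequisites above and should be fixed before attempting the join.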

To specify and join a domain:

Steps

  1. Go to Configure > Security > Access Control > Domains and click New Domain.
  2. Select Integrated Windows Authentication from the Authentication Method drop-down box.
  3. In the Domain Identifier field, enter a unique name that will help you recognize the domain and its purpose.
  4. Optionally, configure the Aliasing option. For information, see Unknown users and the ‘alias’ option.
  5. In the Domain Name field, enter the fully qualified domain name. For example, ad1.example.com.
  6. In the Administrator Name field, enter the Windows Administrator user name.
  7. In the Administrator Password field, enter the Windows Administrator password.
    The name and password are used only during the join and are not stored.
  8. Select how to locate the domain controller:
    • Auto-detect using DNS
    • DC name or IP address

      If the domain controller is specified by name or IP address, you can also specify backup domain controllers as a comma-separated list with no spaces.

  9. Confirm the Content Gateway Hostname.
    Warning: Do not change the hostname after the domain is joined. If it is changed, IWA immediately stops working and will not work again until the domain is unjoined and then re-joined with the new hostname.
  10. Click Join Domain.

    The Joined Domain Connections section of the Monitor > Security > Integrated Windows Authentication page displays a list of joined domains and connections, and provides a diagnostic test function.

    For troubleshooting tips, see Failure to join the domain.